Skip to content

Scan Docker images #533

Scan Docker images

Scan Docker images #533

Workflow file for this run

# Snyk scanning steps are marked continue-on-error because there are often
# vulnerabilities that may have no possible remediation (e.g. glibc
# vulnerabilities in the Debian base). We want to be *informed* about the
# vulns, but we cannot have them be blockers to releasing images.
name: Scan Docker images
on:
workflow_dispatch: {}
schedule:
- cron: "0 0 * * *"
env:
DOCKER_ORG: pulumi
DISPATCH_REF: ${{ github.event.client_payload.ref }}
jobs:
kitchen-sink:
name: All SDKs images
runs-on: ubuntu-latest
strategy:
matrix:
image: ["pulumi", "pulumi-provider-build-environment"]
include:
# For the pulumi image add a the nonroot variant
- suffix: -nonroot
image: pulumi
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/${{ matrix.image }}:${{ env.PULUMI_VERSION }}${{ matrix.suffix }}
args: --severity-threshold=high --file=docker/pulumi/Dockerfile
base:
name: Base image
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: ["debian", "ubi"]
arch: ["arm64", "amd64"]
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }}-${{ matrix.arch }}
args: --severity-threshold=high --file=docker/base/Dockerfile.${{ matrix.os }}
define-debian-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
debian-sdk:
name: Debian SDK images
runs-on: ubuntu-latest
needs: define-debian-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-debian-matrix.outputs.matrix) }}
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Set image name
run: |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_NAME }}
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian
ubi-sdk:
name: UBI SDK images
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
sdk: ["nodejs", "python", "dotnet", "go"]
steps:
- uses: actions/checkout@master
- name: Set version
run: |
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
- name: Snyk scan
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}:${{ env.PULUMI_VERSION }}-ubi
args: --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.ubi